Kövesdán Gábor wrote:

pass in quick on rl0 proto udp from any to any port = 68 keep state
pass in quick proto udp from any to any port = 53 keep state keep frags

First I see that you have left out "on rl0" in this line.

pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state keep frags

You don't need this. DNS uses port 53, both tcp and udp.

pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 25 keep state
pass in quick on rl0 proto tcp from any to any port = 21 keep state
pass in quick on rl0 proto tcp from any to any port = 20 keep state
pass in quick on rl0 proto tcp from any to any port = 80 keep state

Use flags S for all tcp rules, for your security.

block return-rst in log quick on rl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
block in quick on rl0 all

pass in quick on lo0 all
pass out quick on lo0 all

Everything seems okay, but the named. Neither the ISP's nameserver (set by
the dhcp) nor the local nameserver works. BIND 9 wrote this to
/var/log/messages:

Jan 16 13:59:35 server named[1028]: starting BIND 9.3.0 -u named -t
/usr/local/named -c /etc/named.conf
Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address
in use
Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed;
interface ignored
Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address
in use
Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed;
interface ignored
Jan 16 13:59:35 server named[1028]: not listening on any interfaces
Jan 16 13:59:35 server named[1028]: /etc/named.conf:14: couldn't add command channel 127.0.0.1#953: address in use
Jan 16 13:59:35 server named[1028]: could not listen on UDP socket:
permission denied
Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed;
interface ignored
Jan 16 13:59:35 server named[1028]: could not listen on UDP socket:
permission denied
Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed;
interface ignored


The rndc doesn't matter, I'm not going to use it, but named cannot listen on either the network or the loopback interface. Could you suggest any solution for this trouble? Btw, this machine is going to be a web, dns, mail, etc. server and is being tested on an ordinary cable connection, that's why I'm using dhcp.

First, the named problem does not seem to be related to the firewall ruleset - try taking the host offline, flushing all rules and seeing if you can start named or get the same error.


For your security, I suggest you use groups to organize the rules and write a default action explicitly. First lines:

block in all
block out all

(no quick here). Then split according to interface, first let lo0 loose:

pass in quick on lo0 all
pass out quick on lo0 all

Follow with groups for each interface. Groups really help you track down filter problems and stay sane. See the ipf-howto. Also be consistent, using "keep state keep frags" and "flags S" everywhere.

I see you have tried to set up ftp also in the above ruleset. ftp won't work with this, and it really requires an understanding of ftp to get it right. Maybe keep it simple and remove ftp for a start.

Cheers, Erik

--
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
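The following ipf.conf is an added example, not a ruleset from either mail on this thread: it takes the rules Gábor posted and rearranges them the way Erik describes (explicit non-quick default block, lo0 let loose first, one head/group per interface and direction, "flags S" and "keep state keep frags" on every rule, ftp left out). The interface names rl0 and lo0 come from the thread; the group numbers 100 and 150 and the outbound rules are assumptions chosen for illustration, since the original ruleset had no outbound filtering on rl0 at all.

```ipf
# Added example, not Erik's or Gabor's own ruleset. Group numbers 100/150 and
# the outbound section are assumptions for illustration.

# 1. Explicit default action, no "quick": a packet that matches nothing below
#    falls back to these and is dropped.
block in all
block out all

# 2. Let the loopback interface loose.
pass in quick on lo0 all
pass out quick on lo0 all

# 3. Inbound on rl0. The head rule is what applies when nothing in group 100
#    matches; the rules in the group are tried first.
block in log quick on rl0 all head 100
# DHCP client replies (Gabor's rule, now with "keep frags" like the rest)
pass in quick proto udp from any to any port = 68 keep state keep frags group 100
# DNS is port 53 over both udp and tcp; no separate port 42 rule is needed
pass in quick proto udp from any to any port = 53 keep state keep frags group 100
pass in quick proto tcp from any to any port = 53 flags S keep state keep frags group 100
# Services: every tcp rule carries "flags S" so only the opening SYN creates state
pass in quick proto tcp from any to any port = 22 flags S keep state keep frags group 100
pass in quick proto tcp from any to any port = 25 flags S keep state keep frags group 100
pass in quick proto tcp from any to any port = 80 flags S keep state keep frags group 100
# ftp (ports 20/21) deliberately omitted for now, as the reply recommends
# Gabor's polite rejections, kept as the last rules of the group so anything
# not passed above is answered with RST / port-unreachable and logged
block return-rst in log quick proto tcp all group 100
block return-icmp-as-dest(port-unr) in log quick proto udp all group 100

# 4. Outbound on rl0 (assumed): allow what the host itself initiates and keep
#    state, so the replies come back through the state table rather than
#    needing their own inbound rules.
block out log quick on rl0 all head 150
pass out quick proto tcp all flags S keep state keep frags group 150
pass out quick proto udp all keep state keep frags group 150
pass out quick proto icmp all keep state group 150
```

With this layout, a filtering problem on rl0 is narrowed down to a single numbered group, and the log lines from the two head rules show exactly which direction dropped a packet. The named "address in use" errors from the log are unaffected by any of this, which is why the reply suggests flushing the rules and retrying named before changing the ruleset.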
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions